Hello,
this is something I stumbled on and haven't been able to find the solution so far.
I followed
http://technet.microsoft.com/en-us/library/cc731607%28WS.10%29.aspx
and many other similar threads, which practically describe the same thing.
My setup is:
DC with default domain controller policy in which under Advanced Audit Policy Configuration>Account Management>Audit User Account Management is enabled for success events.
Also under Advanced Audit Policy Configuration>DS Access>Audit Directory Service Access and Audit Directory Service Changes are enabled for success.
I also set SACL on the OU where the user account I want to monitor resides for everyone giving "write all properties" to this and all descendant objects.
Then I went ahead and changed the telephone number or office attribute; the Security log did not log any event related to this. If I make other changes, like changing the UPN suffix or adding a description, those get logged.
This is baffling me, as I think the setup is correct, and the link above specifically says:
"For example, if there is no ACE in a SACL requiring Write Property access on the telephone number attribute of a user object to be audited, no auditing events are generated when the telephone number attribute is modified"
I've set an ACE, so the telephone number change should be logged.
I should also add that I also tried Local Policy>Audit Policy>Audit Account Management and Audit Directory Service Access instead of Advanced Audit Policy Configuration, using auditpol to enable the necessary subcategories, but that didn't make a difference. I also tried different groups when setting the SACL in advanced security, like Domain Users and Authenticated Users, to no avail.
Any help going in the right direction would be greatly appreciated.
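The three things the post describes (the effective audit subcategory settings, the SACL on the OU, and what actually landed in the Security log after the change) can be checked from one script rather than by hand. The following PowerShell is an added example, not part of the original post or of the TechNet article it links; it assumes the ActiveDirectory module is available on the domain controller, and the OU and user distinguished names are placeholders to be replaced. The event IDs it looks for (4662 for Directory Service Access, 5136 for Directory Service Changes, 4738 for User Account Management) are the standard Windows Security log IDs for those subcategories.

```powershell
# Added example: verify the audit pipeline for one user object end to end.
# Run in an elevated PowerShell on the domain controller that handled the write.

Import-Module ActiveDirectory

# Placeholders: replace with the real OU and user DNs from your environment.
$OuDn   = 'OU=Monitored Users,DC=example,DC=local'
$UserDn = 'CN=Test User,OU=Monitored Users,DC=example,DC=local'

# 1. Effective audit policy. Legacy category settings and Advanced Audit
#    Policy can conflict; auditpol shows what the system is really using.
Write-Host '== Effective audit subcategories =='
foreach ($sub in 'Directory Service Access', 'Directory Service Changes', 'User Account Management') {
    auditpol /get /subcategory:"$sub"
}
# The override that decides which of the two policy sets wins:
Write-Host '== Subcategory override (SCENoApplyLegacyAuditPolicy) =='
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue

# 2. SACL on the OU. Confirm there is a Success audit ACE covering
#    WriteProperty that is inherited by descendant user objects.
Write-Host '== Audit ACEs on the OU =='
$acl = Get-Acl -Path "AD:\$OuDn" -Audit
$acl.Audit |
    Where-Object { $_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType, ObjectType, InheritedObjectType |
    Format-Table -AutoSize

# Inherited ACEs on the user object itself: an ACE that exists on the OU but
# is not present here (blocked inheritance) explains silent attribute changes.
Write-Host '== Audit ACEs effective on the user object =='
(Get-Acl -Path "AD:\$UserDn" -Audit).Audit |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, IsInherited |
    Format-Table -AutoSize

# 3. What was actually logged for this object in the last hour.
#    4662 = DS Access operation, 5136 = DS Changes (old/new value),
#    4738 = user account changed (Account Management).
Write-Host '== Recent audit events naming the user object =='
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662, 5136, 4738; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($UserDn) } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Reading the output: if step 1 shows the subcategories as "No Auditing" despite the GPO, the legacy/advanced conflict is the first thing to resolve; if step 2 shows the ACE on the OU but not on the user object, inheritance is blocked; if both look right and step 3 shows 4738 but no 5136 for the attribute change, the gap is in Directory Service Changes rather than in Account Management, which narrows where to look next.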